Does TLS 1.2 with SunPKCS11-NSS provider work in FIPS mode

Lighthart, Jenny Jenny.Lighthart at Polycom.com
Tue Mar 31 17:09:15 UTC 2015


Hello Java Security Devs,

The following exception occurs while processing serverHelloDone during an attempt at TLS1.2 with NSS in FIPS mode (via modutil).

     java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSS

Both the client and the server are running from a unit test using:
* JDK 1.8.0_31-b13
* nss-3.16.2.3-3

The same test runs fine in FIPS mode using TLS1.1 or TLS1.0.  The same test also runs with TLS1.2 when the keystore is not in FIPS mode.

I am thinking that it is not supported.  SunPKCS11-NSS provider needs to be updated with the SunTLS12* algorithms before this will work.  The JSSE's ClientKeyExchange expects to be able to obtain a KeyGenerator specific to TLS1.2.  When in FIPS mode, the crypto provider is SunPKCS11-NSS and it does not have the requested algorithm.

Can anyone confirm or deny this?  Any ideas as to when it will be supported?

I've been all over the map trying to figure this one out.  I am pretty sure at this point that it is not a problem with the NSS library.  I can provide full stack trace and debug output as needed, but am hoping someone can answer first whether this configuration should be expected to work.

Thanks for your help,
Jenny
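
An added diagnostic, not part of the original post: it lists which of the internal TLS key-derivation `KeyGenerator` algorithms each installed provider registers, so the gap described above can be confirmed from the same JVM configuration as the failing test. Only `SunTls12RsaPremasterSecret` comes from the post; the other names are assumed to be the JDK 8 internal names for the remaining TLS 1.0/1.1 and TLS 1.2 derivation steps, and the class name `TlsKeyGenProbe` is hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class TlsKeyGenProbe {
    // KeyGenerator names JSSE asks for. SunTls12RsaPremasterSecret is the one
    // from the exception in the post; the rest are assumed JDK 8 internal names.
    static final String[] ALGS = {
        "SunTlsRsaPremasterSecret", "SunTlsMasterSecret",
        "SunTlsKeyMaterial", "SunTlsPrf",
        "SunTls12RsaPremasterSecret", "SunTls12MasterSecret",
        "SunTls12KeyMaterial", "SunTls12Prf"
    };

    // Returns the algorithms from ALGS that the provider does not register.
    // getService() resolves aliases, so an alias-only registration counts as present.
    static List<String> missing(Provider p) {
        List<String> out = new ArrayList<>();
        for (String alg : ALGS) {
            if (p.getService("KeyGenerator", alg) == null) {
                out.add(alg);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            List<String> gaps = missing(p);
            if (gaps.size() == ALGS.length) {
                continue; // provider offers no TLS key derivation at all
            }
            System.out.printf("%s %s%n", p.getName(), p.getVersion());
            if (gaps.isEmpty()) {
                System.out.println("  all TLS KeyGenerator algorithms present");
            } else {
                System.out.println("  missing: " + gaps);
            }
        }
    }
}
```

Run it with the same `java.security` file and NSS configuration as the unit test; a provider that reports the `SunTls12*` names as missing cannot complete a TLS 1.2 handshake when JSSE is restricted to that provider.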